A VPN in switched mode

Marijn Vriens marijn at metronomo.cl
Sun Jun 26 18:40:43 CEST 2005


Hi all,


I have been using tinc successfully for a while now. 

However, I need to do something different from my normal setup, and I am
getting the feeling I am doing something obviously wrong.

What I want to do is hook up 5 distant Linux routers into one bigger
network. Since I need to transmit both unicast and multicast traffic,
the VPN network has to be in "Mode = switch" [Assumption 1].

I would like to use a logical dedicated sub-net where each host on the
VPN is a router for its own network, like so: 

(ASCII diagrams forever! :D )

 A \
B - VPN - D
 C /   \ E

The VPN network has IP 192.168.20.0/24. This way I can think of the VPN
as a virtual switch that each of the routers is plugged into. 

Let's reduce the number of networks to 2, for brevity's sake.

For example, the private network behind router A is 192.168.10.0/24,
the one behind B is 192.168.12.0/24,
etc.

--- NETWORK A : router Koe
# cat /etc/tinc/secnet/tinc.conf 
Name = koe
Device = /dev/tun
ConnectTo = jupiter
ConnectTo = proto3
PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv
AddressFamily = ipv4
Mode = switch

# cat /etc/tinc/secnet/tinc-up 
#!/bin/sh
ifconfig $INTERFACE 192.168.20.1 netmask 255.255.255.0 


--- NETWORK B : router Jupiter
$ cat /etc/tinc/secnet/tinc.conf 
Name = jupiter
Device = /dev/tun
PrivateKeyFile = /etc/tinc/secnet/rsa_key.priv
ConnectTo = proto3
ConnectTo = koe
Mode = switch

$ cat /etc/tinc/secnet/tinc-up
#!/bin/sh
ifconfig $INTERFACE 192.168.20.2 netmask 255.255.255.0

The public keys of all the points are on all the routers and set up
like: 
# cat /etc/tinc/secnet/hosts/jupiter
Address = some.public.host
Subnet = 192.168.20.2/32
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----

# cat /etc/tinc/secnet/hosts/koe
Address = someother.public.host
Subnet = 192.168.20.1/32
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----


As commented, I need to put the network in switched mode (I need to run
multicast protocols over the VPN), and when I do that, some of the hosts
stop talking to each other. And some other connections only work when
the other host pings first. As far as I can see, it's a problem of the
ARP table not getting set up correctly. Notice that it is /some/ of the
hosts; others have no problems.

This is the reason I have TCPOnly, since it was my hope that somehow the
firewall rules were dropping the incoming UDP packets that contain the ARP,
since they are the first contact between two servers. But it seems to make
little difference. 

I'm sort of at a loss as to what could be causing these problems. Running
tcpdump on the external interfaces and "tincd -d5" shows that the
traffic is really hitting the tincds, but the VPN interface doesn't pass
it on. 

What I think I am doing wrong is setting "Subnet = 192.168.20.2/32".
However, changing it to 192.168.20.0/24 doesn't solve the problem.

Can anybody give me a hint about what the correct setup should be?

Kind Regards,
	Marijn. 
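The post above describes a switch-mode tinc mesh whose nodes are each configured by hand (tinc.conf, tinc-up, hosts/*), and asks what in that configuration could make only some node pairs fail. The script below is an added example, not code from the post or from the tinc project: it parses the three kinds of tinc file for every node and reports the inconsistencies that produce exactly the "some hosts don't talk" symptom, in particular a node whose Mode differs from the rest (tinc's default when Mode is unset is router mode, which carries IP packets, whereas switch mode carries Ethernet frames, so a mixed mesh cannot exchange traffic), a ConnectTo target with no matching hosts file, duplicate or out-of-network VPN addresses in tinc-up, and a hosts/<name> Subnet that does not cover the address tinc-up assigns. The sample mesh embedded at the bottom is constructed: koe and jupiter follow the post, but the third node proto3, its tinc.conf, its tinc-up and its hosts directory are assumptions (the post does not show proto3's configuration), deliberately left without a Mode line and without hosts/jupiter so the checks have something to report. The VPN network 192.168.20.0/24 is taken from the post.

```python
"""Consistency checks for a tinc mesh run in "Mode = switch".

Given the tinc.conf, tinc-up and hosts/ files of every node, report the
configuration mismatches that produce "some hosts cannot talk" symptoms:
  - a node whose Mode differs from the others (router mode carries IP
    packets, switch mode carries Ethernet frames; a mixed mesh cannot
    exchange traffic)
  - a ConnectTo target without a hosts/<name> file on the connecting node
  - a tinc-up address outside the VPN network, or assigned on two nodes
  - a hosts/<name> Subnet that does not cover the address tinc-up assigns
"""
import ipaddress
import re
from collections import defaultdict

VPN_NET = ipaddress.ip_network("192.168.20.0/24")  # the VPN "switch" segment (from the post)

# tinc-up may address $INTERFACE with either ifconfig or iproute2
IFCONFIG_RE = re.compile(r"ifconfig\s+\$INTERFACE\s+(\S+)\s+netmask\s+(\S+)")
IPADDR_RE = re.compile(r"ip\s+addr(?:ess)?\s+add\s+(\S+)\s+dev\s+\$INTERFACE")


def parse_conf(text):
    """Parse tinc's 'Key = value' format into {lowercased key: [values]}.

    Keys are case-insensitive in tinc and may repeat (ConnectTo, Subnet).
    Comment lines start with '#'; parsing stops at the public key block
    that hosts files carry after their variables.
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            break
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()].append(value.strip())
    return conf


def parse_tinc_up(text):
    """Return the IPv4 interface (address/prefix) that tinc-up puts on $INTERFACE."""
    m = IFCONFIG_RE.search(text)
    if m:
        return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    m = IPADDR_RE.search(text)
    if m:
        return ipaddress.ip_interface(m.group(1))
    return None


def check_mesh(nodes):
    """nodes: {name: {"tinc.conf": str, "tinc-up": str, "hosts": {name: str}}}.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    problems = []
    modes = {}
    seen_addr = {}
    for name, files in nodes.items():
        conf = parse_conf(files["tinc.conf"])
        hosts = {h: parse_conf(t) for h, t in files["hosts"].items()}
        # tinc runs in router mode when Mode is not set at all
        modes[name] = conf["mode"][-1].lower() if conf["mode"] else "router"

        for peer in conf["connectto"]:
            if peer not in hosts:
                problems.append(f"{name}: ConnectTo = {peer} but hosts/{peer} is missing")

        iface = parse_tinc_up(files["tinc-up"])
        if iface is None:
            problems.append(f"{name}: tinc-up assigns no address to $INTERFACE")
            continue
        if iface.ip not in VPN_NET:
            problems.append(f"{name}: {iface.ip} is outside the VPN network {VPN_NET}")
        if iface.ip in seen_addr:
            problems.append(f"{name}: {iface.ip} is already used by {seen_addr[iface.ip]}")
        seen_addr[iface.ip] = name

        own = hosts.get(name)
        if own is None:
            problems.append(f"{name}: no hosts/{name} file for itself")
        else:
            # a Subnet may carry a '#weight' suffix; strip it before parsing
            nets = [ipaddress.ip_network(s.split("#", 1)[0], strict=False) for s in own["subnet"]]
            if not any(iface.ip in n for n in nets):
                problems.append(f"{name}: hosts/{name} Subnet {own['subnet']} does not cover {iface.ip}")

    if len(set(modes.values())) > 1:
        problems.append("Mode mismatch across mesh: "
                        + ", ".join(f"{n}={m}" for n, m in sorted(modes.items())))
    return problems


# Constructed sample: koe and jupiter follow the post; proto3 is an assumed
# third node whose config the post does not show. It sets no Mode (so tinc
# defaults to router) and lacks hosts/jupiter, so the checks have findings.
KEY = "-----BEGIN RSA PUBLIC KEY-----\n(omitted)\n-----END RSA PUBLIC KEY-----\n"
HOSTS = {
    "koe": "Address = someother.public.host\nSubnet = 192.168.20.1/32\nTCPOnly = yes\n" + KEY,
    "jupiter": "Address = some.public.host\nSubnet = 192.168.20.2/32\nTCPOnly = yes\n" + KEY,
    "proto3": "Address = third.public.host\nSubnet = 192.168.20.3/32\nTCPOnly = yes\n" + KEY,
}
SAMPLE_MESH = {
    "koe": {
        "tinc.conf": "Name = koe\nDevice = /dev/tun\nConnectTo = jupiter\nConnectTo = proto3\nMode = switch\n",
        "tinc-up": "#!/bin/sh\nifconfig $INTERFACE 192.168.20.1 netmask 255.255.255.0\n",
        "hosts": HOSTS,
    },
    "jupiter": {
        "tinc.conf": "Name = jupiter\nDevice = /dev/tun\nConnectTo = proto3\nConnectTo = koe\nMode = switch\n",
        "tinc-up": "#!/bin/sh\nifconfig $INTERFACE 192.168.20.2 netmask 255.255.255.0\n",
        "hosts": HOSTS,
    },
    "proto3": {  # assumed node: no Mode line, hosts/jupiter missing
        "tinc.conf": "Name = proto3\nDevice = /dev/tun\nConnectTo = koe\nConnectTo = jupiter\n",
        "tinc-up": "#!/bin/sh\nip addr add 192.168.20.3/24 dev $INTERFACE\n",
        "hosts": {k: v for k, v in HOSTS.items() if k != "jupiter"},
    },
}

if __name__ == "__main__":
    for p in check_mesh(SAMPLE_MESH) or ["mesh configuration is consistent"]:
        print(p)
```

To run it against a real deployment, collect each node's /etc/tinc/<netname>/ directory and build the same dictionary from the files; the checks are deliberately independent of which node is missing traffic, because in a mesh the node that "cannot be reached" is often not the misconfigured one.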
